System and method for processing a shared secret

ABSTRACT

A method of constructing shares in a secret is disclosed. The method operates in a network comprising a number of computing devices, each arranged to securely store at least one share in the secret k for which n shares are required to reconstruct the secret and to which access to a number m of the shares can be reliably provided at any given time. The method comprises the steps of: determining n shares for an n-of-n secret sharing scheme, each share comprising a value y; storing at least some of the shares in the computing devices such that at least m of the n shares are reliably accessible; determining the shared secret k according to the shares y; determining a further (n-m) shares consistent with the shared secret k and the shares y; and storing the additional shares in a reliably accessible location.

FIELD OF THE INVENTION

[0001] The present invention relates to a system and method for processing a shared secret. In particular, the invention relates to obtaining a shared secret from a set of arbitrary numbers.

BACKGROUND ART

[0002] In “How to Share a Secret”, A. Shamir, Communications of the ACM, vol. 22, pp. 612-613, 1979 (Shamir) there is described a method whereby, given two numbers n and m, where m<n, an arbitrary secret can be split into n parts (shares), such that any m of the resulting shares can be combined to recover the original secret. The technique ensures that anyone who has less than m shares is no better off than if they had no shares at all. This technique also allows the sharing of a secret such that any m of n shareholders can reconstruct the secret without revealing their shares.

[0003] Referring now to FIG. 1, which illustrates the principles involved in more detail, there is shown a pair of cubic graphs based on the formula:

y = ax³ + bx² + cx + d

[0004] Conventionally, the y value at x=0 is taken to be a secret, and shares in the secret, comprising values from which other y values can be derived, are distributed across n share-holders, in this case n=6, typically servers with which a client computer can connect securely. Using simultaneous equations it will be seen that given any four points, say (x₁,y₁); (x₂,y₂); (x₃,y₃) and (x₄,y₄) on a curve, then any other point on the curve including the secret can be determined—so here m=4.

[0005] In “Server-Assisted Generation of a Strong Secret from a Password”, W. Ford and B. Kaliski, Proceedings of the IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, NIST, Gaithersburg Md., Jun. 14-16, 2000 (Ford-Kaliski) which in turn refines “Strong Password-Only Authenticated Key Exchange”, D. Jablon, Computer Communication Review, ACM SIGCOMM, vol. 26, no. 5, pp. 5-26, October 1996 (Jablon) there is disclosed a technique (SPEKE) for securely retrieving a number from, for example, a remote server without revealing a password to the remote server.

[0006] So, referring to FIG. 2, using Ford-Kaliski in combination with Shamir, a user running an application 12 on a client machine 10 on which they do not want to store, for example, their private key can store their private key in an encrypted format on a remote credentials storing server 20. The private key is encrypted with a secret number generated from shares comprising arbitrary numbers y_i stored on share-holding servers B1 . . . Bn.

[0007] Using Ford-Kaliski, once a secret has been constructed by a secret generation component 14, the user can supply their password to the application on the client machine and a secret re-construction component 16 of the application connects to all n servers and, without disclosing the password, securely obtains m shares y_i. Points (x_i) on a curve, for example a curve of the type shown in FIG. 1, are calculated from the formula x_i = g^(y_i) mod p, where g is a hash version of the password and p is a 1024-bit prime number. From these points, the secret value at x=0 can be determined. The encrypted private key can then be downloaded from the credentials server and decrypted with the secret value, to enable the user of the client to securely communicate with other users or to properly authenticate themselves to other devices on a network 30 such as a LAN, Intranet or Internet. So, for example, the system can be employed by “hot-desking” bank tellers who regularly use different computer terminals in a bank branch and whose access to bank records must be both secure and/or authenticated.

[0008] It can be seen from FIG. 1 that in an m-of-n system more shares than are necessary to re-generate a secret can be stored on servers, so providing redundancy in the case of a communication failure with up to n-m of the servers. However, in order for a secret update component 18 to change the secret, it must not only be able to re-generate the secret but also be able to change the values of all shares of the secret.

[0009] Many patents reference Shamir, and largely fall into one of a number of categories:

[0010] Patents which reference Shamir's paper, but do not make use of secret sharing techniques:

[0011] U.S. Pat. No. 5,553,145; U.S. Pat. No. 5,629,982; U.S. Pat. No. 5,666,420; U.S. Pat. No. 6,134,326;

[0012] U.S. Pat. No. 6,137,884; and U.S. Pat. No. 6,141,750: Simultaneous electronic transactions with subscriber verification;

[0013] U.S. Pat. No. 5,812,670: Traceable anonymous transactions; and

[0014] U.S. Pat. No. 6,055,508: Method for secure accounting and auditing on a communications network.

[0015] Patents which disclose secret sharing for fault-tolerant transmission:

[0016] U.S. Pat. No. 5,485,474: Scheme for information dispersal and reconstruction; and

[0017] U.S. Pat. No. 6,012,159: Method and system for error-free data transfer.

[0018] Patents which disclose secret-sharing techniques, where the secret is not updated, as in:

[0019] U.S. Pat. No. 5,315,658; USRE036,918: Fair cryptosystems and methods of use;

[0020] U.S. Pat. No. 5,495,532: Secure electronic voting using partially compatible homomorphisms;

[0021] U.S. Pat. No. 5,666,414: Guaranteed partial key-escrow;

[0022] U.S. Pat. No. 5,708,714: Method for sharing secret information and performing certification in a communication system that has a plurality of information processing apparatus;

[0023] U.S. Pat. No. 5,768,388: Time delayed key escrow;

[0024] U.S. Pat. No. 5,825,880: Multi-step digital signature method and system;

[0025] U.S. Pat. No. 5,903,649: Method for establishing a common code for authorized persons through a central office;

[0026] U.S. Pat. No. 5,991,414: Method and apparatus for the secure distributed storage and retrieval of information;

[0027] U.S. Pat. No. 6,192,472: Method and apparatus for the secure distributed storage and retrieval of information; and

[0028] U.S. Pat. No. 6,026,163: Distributed split-key cryptosystem and applications.

[0029] Miscellaneous patents, such as:

[0030] U.S. Pat. No. 5,764,767: System for reconstruction of a secret shared by a plurality of participants, which provides a mechanism for updating a shared secret; however, all the locations where the secrets are stored are active participants in updating the secret;

[0031] U.S. Pat. No. 5,867,578: Adaptive multi-step digital signature system and method of operation thereof, where the shares change but the value of the shared secret is maintained; and

[0032] U.S. Pat. No. 6,122,742: Auto-recoverable and auto-certifiable cryptosystem with unescrowed signing keys, which uses a shared function, not a shared secret.

[0033] Pieprzyk discloses a method of constructing shares in a secret k comprising the steps of: determining n shares for an n-of-n secret sharing scheme, each share comprising a value y; storing at least some of said shares in computing devices such that at least m of said n shares are reliably accessible; and determining the shared secret k according to said shares y.

[0034] It will be seen, however, that none of these documents discloses being able to update a shared secret without having access to all the shareholders of the secret. This becomes an important requirement when clients such as that shown in FIG. 2 are accessing shareholder servers across unreliable links such as network links or communication links, or links through which bandwidth may need to be regulated by, for example, a load-balancing server (not shown) which may prevent or unduly delay a client's access to a shareholder server.

DISCLOSURE OF THE INVENTION

[0035] According to a first aspect of the present invention there is provided a method characterised by m being less than n and by the steps of: determining a further (n-m) shares consistent with the shared secret k and the shares y; and storing the additional shares in a reliably accessible location.

[0036] According to a second aspect of the invention, there is provided, in a network comprising a number of computing devices, each arranged to securely store at least one share in a secret k for which n shares are required to reconstruct the secret and to which access to a number m of said shares can be reliably provided at any given time, a method of reconstructing said secret comprising the steps of: securely obtaining m shares from one or more secret share holders including at least one of said computing devices; characterised by m being less than n and by the steps of: obtaining (n-m) shares from a reliably accessible location; and constructing the shared secret k according to said obtained shares.

[0037] There is further provided a method of updating the secret employing the second aspect of the invention.

[0038] Further aspects of the invention are embodied as respective apparatus and computer program products for generating, constructing and updating a shared secret.

[0039] In contrast with the prior art, where clearly it is considered essential that none of the shares of a secret is public, the present invention uses additional public shares to implement the invention.

[0040] In the present invention some of the shareholder storage locations need not be aware that an update to a shared secret is occurring. The invention therefore allows the following two operations:

[0041] given any n arbitrary numbers, a shared secret k can be constructed and reconstructed using any m of those numbers, with the help of public data stored on a data storage device; and

[0042] the shared secret can be changed without having to access all of the stored shares.

[0043] The invention is particularly useful because it is not necessarily the case that n random numbers will form a consistent m-from-n set of shares. However, there may be cases (as will be explained below) where an entity has access to several separate, long-lived and random values and cannot guarantee that it will have access to all of them at any one time. In this case, this invention allows the entity to combine the values from different locations in such a way that if the entity doesn't contact them all, it doesn't matter; and if an attacker is able to intercept the values from any number less than m of the locations, that attacker will be unable to reconstruct the secret from the intercepted values.

[0044] Various embodiments of the invention will now be described by way of example with reference to the accompanying drawings in which:

[0045] FIG. 1 illustrates prior art functions based on secret shares to determine a secret;

[0046] FIG. 2 illustrates a prior art network across which shares of a shared secret can be accessed and updated;

[0047] FIG. 3 illustrates functions based on secret shares and one public share to determine and update a secret according to the invention; and

[0048] FIG. 4 illustrates a network across which shares of a shared secret can be accessed and updated according to the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0049] The principle of operation of the invention is explained in relation to FIG. 3. If points (x₁,y₁); (x₂,y₂); (x₃,y₃) and (x₄,y₄) correspond with four shares of a 4-from-4 secret sharing scheme, but it is decided that communication can only be established reliably with, say, 3 of the 4 shareholders, then a fifth public share (x₅,y₅) is generated and stored at a reliably accessible location, for example, in the credentials server 20′, FIG. 4. The scheme now becomes a 4-from-5 scheme, where one of the shares is public. Thus, any three of the secret shares can be combined with the public share to re-generate the secret (0, Original secret).

[0050] To update the secret, again any three of the secret shares obtained (in this case (x₁,y₁); (x₂,y₂); and (x₄,y₄)) along with the public share (x₅,y₅) are used to determine the secret. The secret is then changed to (0, New secret) and each of the three secret share values as well as the public share (x₅,y₅) value are updated, but leaving the share value of any unobtained shares, in this case (x₃,y₃), unchanged.

[0051] Extending the principle further, if it is decided that communication can only be established reliably with, say, 2 of the four shareholders, then two public shares are generated and stored at the credentials server 20′. The scheme now becomes a 4-from-6 scheme, where two of the shares are public. Thus, any two of the secret shares can be combined with the public shares to re-generate the secret.

[0052] It will, therefore, be seen that in an m-from-n secret sharing scheme, for each share (n-m) on which the client does not wish to rely to re-generate or update the secret, an additional public share is generated, thereby giving an n-from-(2n-m) scheme where n-m of the shares are public.

[0053] While the above examples appear to lessen the level of security by reducing the number of secret shares required from a starting point with a given number of servers, it will be seen that any level of security and redundancy can be employed using the invention. Thus, for any required level of security, that is secret shares required m, and redundancy, that is total servers less required shares (n-m), then using the invention (n-m) additional shares are employed within a conventional n-from-(2n-m) scheme.

[0054] Referring now to FIG. 4 which illustrates an exemplary implementation of the invention, an application 12 running on the client 10 has secure but unreliable communications with n data storage devices, for example, the share holding servers B1 . . . Bn, and an insecure but reliable connection to another data storage device S, for example, on the credentials server 20′. Each of the data storage devices Bi returns to the client a random value yi.

[0055] To get a secret, which can be reconstructed given only m of the yi, a secret generation component 14′ of the application 12 does the following:

[0056] 1. obtains (possibly by generating them) all of the yi;

[0057] 2. treats the yi as shares in an n-of-n scheme, and reconstructs the shared secret k given by them;

[0058] 3. generates a further (n-m) shares consistent with k and the yi; and

[0059] 4. stores these additional shares on the reliable data storage device S.

[0060] To reconstruct the secret in subsequent sessions, the secret re-construction component 16′ does the following:

[0061] 1. obtains the (n-m) shares from the reliable data storage device S; and

[0062] 2. contacts m of the data storage devices Bi and retrieves a respective yi from each.

[0063] Since the client now has n of the shares, the secret re-construction component 16′ can now reconstruct the secret k, and so the client application 12 or other client applications can use the secret to, for example, decrypt the encrypted private key for the user of the client machine.

[0064] The above technique can be used to update the secret even in the case where not all the data storage devices Bi are online. In the update procedure, a secret update component 18′ does the following:

[0065] 1. obtains the (n-m) shares from the reliable data storage device S;

[0066] 2. contacts m of the data storage devices Bi and retrieves a respective yi from each;

[0067] 3. reconstructs the secret k; and also deduces from the retrieved shares yi the values of the shares for those data storage devices that did not respond;

[0068] 4. in general, engages in a process such that at the end some data storage devices are known to have new shares yi′ associated with them and some are known to only have the old shares yi, for example, by

[0069] generating any number less than n of new shares yi′ and transmitting each new share yi′ securely to the appropriate data storage device Bi, requesting confirmation that they have been received; or

[0070] requesting each data storage device to generate and return a new share yi′;

[0071] 5. generates a new shared secret k′ using the following shares:

[0072] for each Bi which didn't get a new share yi′ generated for it, or which is known not to have received the yi′ it was sent, or which didn't generate a new share yi′, use the old share yi;

[0073] for each other Bi, use the new share yi′. This gives a shared secret that is consistent with the shares known by each of the Bi;

[0074] 6. generates a further (n-m) shares which are consistent with the yi′ and yi used; and

[0075] 7. stores these additional shares on the reliable data storage device S.

[0076] In a more detailed example, the secret sharing scheme is based on Shamir's scheme, which uses Lagrange polynomial interpolation over the group Z*_p, where p is a 1024-bit prime number, and the random numbers are obtained using a refinement of the Ford-Kaliski scheme which, in turn, refines Jablon's SPEKE technique.

[0077] The system is based on two primes: p, a large (typically 1024-bit) prime with respect to which we perform modular exponentiation; and r, which is the smallest prime that is 160 bits long.

[0078] To generate share-holder servers' shares, the secret generation component 14′ generates a number g<p from the user provided password. For each server Bi, the component 14′:

[0079] picks a random wi, 160 bits long;

[0080] calculates g^wi mod p; and

[0081] truncates the result to be 159 bits long. The result is yi, to be stored on the server Bi.

[0082] Note that all the yi will be less than r and that the client now has n shares yi, i=1 to n. There is one polynomial f of degree (n-1) over the integers mod r which passes through the n points (i, yi).

[0083] To generate the additional shares, the secret generation component 14′:

[0084] calculates the n coefficients of the polynomial, f( );

[0085] calculates the value of f(0). This is the shared secret; and

[0086] calculates the value of f(i), for i=n+1 to 2n-m. These are the additional shares. They can all be stored as 160-bit numbers.

[0087] To recombine the shares, the secret re-construction component 16′:

[0088] retrieves yi from m of the Bi—this is done by the method outlined in Ford-Kaliski;

[0089] retrieves the additional shares numbered n+1 to 2n-m from the additional server S. This gives the client n shares in total. There is one polynomial of degree (n−1) over the integers mod r which passes through the n points (i, yi); and

[0090] calculates the n coefficients of this polynomial, f( ), and then calculates f(0). This is the shared secret.
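The generation, re-construction and update procedures of [0055] to [0075], carried through with the polynomial of [0082] to [0090], as an added worked example that is not part of the patent: the prime R, the function names and the sample values are mine, a 61-bit Mersenne prime stands in for the 160-bit r, and the server values y_i are supplied directly rather than derived from g^w mod p.

```python
# Added example (not the patent's own code): the n-from-(2n-m) scheme with Lagrange
# interpolation over the integers mod a prime.  R is a constructed stand-in for the
# patent's 160-bit prime r; the y_i here are given directly instead of g^w mod p.
import secrets

R = 2**61 - 1  # constructed: stand-in for the patent's 160-bit prime r


def lagrange_at(points, x):
    """Value at x of the unique polynomial of degree len(points)-1 through `points`, mod R."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % R
                den = den * (xi - xj) % R
        total = (total + yi * num * pow(den, -1, R)) % R
    return total


def generate(y, m):
    """Secret generation component 14': y maps server index i=1..n to the arbitrary
    value y_i it holds.  The y_i are treated as an n-of-n scheme, so k = f(0); the
    (n-m) public shares f(n+1)..f(2n-m) are returned for storage on the reliable device S."""
    n = len(y)
    pts = sorted(y.items())
    k = lagrange_at(pts, 0)
    public = {i: lagrange_at(pts, i) for i in range(n + 1, 2 * n - m + 1)}
    return k, public


def reconstruct(obtained, public, n):
    """Re-construction component 16': m secret shares actually retrieved from the B_i
    plus the (n-m) public shares from S give n points, hence f and the secret f(0)."""
    pts = list(obtained.items()) + list(public.items())
    if len(pts) != n or len({x for x, _ in pts}) != n:
        raise ValueError("need exactly n distinct shares to fix a degree n-1 polynomial")
    return lagrange_at(pts, 0)


def deduce_unobtained(obtained, public, n):
    """Update step 3: the same n points determine f, so the shares y_i of servers that
    did not respond are f(i); they are left unchanged by the update."""
    pts = list(obtained.items()) + list(public.items())
    return {i: lagrange_at(pts, i) for i in range(1, n + 1) if i not in obtained}


def update(obtained, public, n, m, new_y):
    """Update component 18': new_y maps each server confirmed to hold a new share y'_i
    to that value.  Servers that kept their old share (unreachable or unconfirmed) keep
    y_i; the merged n values define a new polynomial, so a new k' and new public shares."""
    merged = {**deduce_unobtained(obtained, public, n), **obtained, **new_y}
    return generate(merged, m)


def random_share():
    """Fresh share below R (the patent truncates g^w mod p to 159 bits so that y_i < r)."""
    return secrets.randbits(60)


if __name__ == "__main__":
    n, m = 4, 3
    y = {i: random_share() for i in range(1, n + 1)}     # values held by B1..B4
    k, public = generate(y, m)                            # one public share f(5) on S
    got = {i: y[i] for i in (1, 2, 4)}                    # B3 unreachable this session
    assert reconstruct(got, public, n) == k
    new_y = {i: random_share() for i in got}              # B1, B2, B4 confirm new shares
    k2, public2 = update(got, public, n, m, new_y)
    assert reconstruct({1: new_y[1], 2: new_y[2], 3: y[3]}, public2, n) == k2
    print("old secret", k, "new secret", k2)
```

With m-1 secret shares plus the (n-m) public shares a client holds only n-1 points, which leaves f(0) undetermined, as [0043] requires.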

[0091] Once the secret has been re-constructed it can be updated as outlined previously.

[0092] While the preferred embodiments described above are illustrative of the invention, it will be seen that many variations of the invention are possible.

[0093] For example, it is not necessary that the additional public shares are stored on the server 20′ remote from the client 10, only that the additional shares are reliably accessible when the secret is to be updated. So, for example, the additional shares may be stored in any computer readable medium such as a floppy disk, smart card etc.

[0094] It will also be seen that the components 14′, 16′, 18′ incorporating the invention need not all be included in the same application. Specifically, the secret generation and update components may run in applications or even computers independently of the stand alone secret re-construction component.

[0095] Similarly, it will be seen that not all secret shares need to be stored on remote servers, only that at least m of the n shares are reliably accessible when the secret is to be re-constructed or updated. So, for example, the secret shares may be stored in any computer readable medium such as a floppy disk, smart card etc.

[0096] It will also be seen that the invention is not strictly limited to the use of either the Shamir secret sharing technique or the Ford-Kaliski technique for securely obtaining secret shares. So, for example, it is not strictly necessary that the share values are used to construct a polynomial of the type employed to illustrate the operation of the invention.

[0097] Finally, it will be seen that the claims are not strictly limited to the order of the steps or features recited and that, where possible, the invention can be implemented in any order or even with steps being performed in parallel.

1. In a network comprising a number of computing devices, each arranged to securely store at least one share in a secret k for which n shares are required to reconstruct the secret and to which access to a number m of said shares can be reliably provided at any given time, a method of constructing shares in a secret comprising the steps of: determining n shares for an n-of-n secret sharing scheme, each share comprising a value y; storing at least some of said shares in said computing devices such that at least m of said n shares are reliably accessible; determining the shared secret k according to said shares y; characterised by m being less than n and by the steps of: determining a further (n-m) shares consistent with the shared secret k and the shares y; and storing the additional shares in a reliably accessible location.
 2. In a network comprising a number of computing devices, each arranged to securely store at least one share in a secret k for which n shares are required to reconstruct the secret and to which access to a number m of said shares can be reliably provided at any given time, a method of reconstructing said secret comprising the steps of: securely obtaining m shares from one or more secret share holders including at least one of said computing devices; characterised by m being less than n and by the steps of: obtaining (n-m) shares from a reliably accessible location; and constructing the shared secret k according to said obtained shares.
 3. In a network comprising a number of computing devices, each arranged to securely store at least one share in a secret k for which n shares are required to reconstruct the secret and to which access to a number m of said shares can be reliably provided at any given time, a method of updating said secret comprising the steps of: reconstructing said secret k according to the steps of claim 2; deducing from the obtained shares the values of the shares for the unobtained n-m shares of the secret; determining for each location from which a share was securely obtained a new share value y′; determining a new shared secret k′ according to the new share values y′ and the unobtained share values; storing at least some of said new shares in said computing devices such that at least m of said new shares and said unobtained shares are reliably accessible; generating additional (n-m) shares which are consistent with the new share values and the unobtained share values; and storing the additional shares in a reliably accessible location.
 4. A method according to claim 3 wherein said step of determining for each location from which a share was securely obtained a new share value y′ comprises: generating said new shares y′ and transmitting at least one new share y′ securely to one of the computing devices; and requesting confirmation that they have been received.
 5. A method according to claim 3 wherein said step of determining for each location from which a share was securely obtained a new share value y′ comprises: requesting each location from which a share was securely obtained to generate and securely return a new share y′.
 6. Apparatus for constructing shares in a secret and operable within a network comprising a number of computing devices, each arranged to securely store at least one share in a secret k for which n shares are required to reconstruct the secret and to which access to a number m of said shares can be reliably provided at any given time, comprising: means for determining n shares for an n-of-n secret sharing scheme, each share comprising a value y; means for causing at least some of said shares to be stored in said computing devices such that at least m of said n shares are reliably accessible; means for determining the shared secret k according to said shares y; characterised by m being less than n and by: means for determining a further (n-m) shares consistent with the shared secret k and the shares y; and means for causing the additional shares to be stored in a reliably accessible location.
 7. Apparatus for reconstructing a secret and operable in a network comprising a number of computing devices, each arranged to securely store at least one share in a secret k for which n shares are required to reconstruct the secret and to which access to a number m of said shares can be reliably provided at any given time, comprising: means for securely obtaining m shares from one or more secret share holders including at least one of said computing devices; characterised by m being less than n and by: means for obtaining (n-m) shares from a reliably accessible location; and means for constructing the shared secret k according to said obtained shares.
 8. A computer program product for constructing a secret, said computer program product being arranged to perform the steps of claim 1.
 9. A computer program product for re-constructing a secret, said computer program product being arranged to perform the steps of claim 2.
 10. A method as claimed in claim 1 wherein the step of determining n shares comprises: determining n possibly arbitrary numbers w, said values y being calculated from said numbers w.